CitrixBleed 2 Vulnerability Actively Exploited

Summary
– A new critical vulnerability called CitrixBleed 2 (CVE-2025-5777) in Citrix NetScaler ADC and Gateway devices allows attackers to bypass authentication, including MFA, and hijack sessions.
– The flaw, with a CVSS score of 9.3, impacts versions 14.1 (before 47.46) and 13.1 (before 59.19), and is being actively exploited in the wild.
– Researchers note similarities to the 2023 CitrixBleed flaw (CVE-2023-4966), which was widely exploited by ransomware and state-sponsored groups.
– Attackers exploit CitrixBleed 2 to hijack sessions, bypass MFA, and conduct reconnaissance, using tools like ADExplorer64.exe and VPN services to mask their activity.
– A third vulnerability (CVE-2025-6543), a memory overflow flaw with a CVSS score of 9.2, also affects NetScaler devices and has reportedly been exploited.
A newly flagged security flaw in Citrix NetScaler ADC and Gateway, already nicknamed CitrixBleed 2, is letting attackers bypass multifactor authentication (MFA) and hijack live sessions. Officially logged as CVE-2025-5777, the bug has a CVSS score of 9.3, marking it a high-risk threat for any unpatched system.
Security researcher Kevin Beaumont, who tracked the original CitrixBleed (CVE-2023-4966), points out that this version works much the same way: attackers get in by exploiting how Citrix handles session tokens, not cookies, which makes the attack surface bigger and harder to monitor.
Threat hunters at ReliaQuest have confirmed active exploitation, with attackers setting up unauthorized web sessions that skip normal login steps, clear evidence that MFA checks are being sidestepped.
More Flaws, Same Urgency: Fix It Now
Citrix also revealed two other bugs alongside CitrixBleed 2. CVE-2025-5349, rated 8.7, is an access control gap that could let attackers move deeper inside networks. And CVE-2025-6543, a memory overflow flaw scoring 9.2, can force critical systems offline if abused.
The affected versions are widespread: NetScaler ADC and Gateway builds 14.1 (before 47.46 or 43.56) and 13.1 (before 59.19 or 58.32). Security teams are urging companies to patch immediately, as INC Ransom-style attacks could follow the same playbook that made the first CitrixBleed so costly in 2023.
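The fastest defensive step after reading the build numbers above is to check every appliance against them. The following script is an added example, not code from the article or from Citrix: it parses the version banner of a NetScaler appliance (the `NetScaler NS14.1: Build 43.56.nc, ...` format of `show ns version` is an assumption) and flags builds below the fixed builds the article lists. Because the article gives two fixed builds per branch without saying which CVE each one closes, the higher build is used as the conservative threshold.

```python
import re

# Fixed builds per release branch, as stated in the article ("14.1 before
# 47.46 or 43.56", "13.1 before 59.19 or 58.32"). The higher build of each
# pair is used so a device is only reported clean when all three CVEs are
# covered by the stricter threshold.
FIXED_BUILD = {
    "14.1": (47, 46),
    "13.1": (59, 19),
}

# Assumed banner format of `show ns version`, e.g.
# "NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025, 12:00:00"
BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_banner(banner: str):
    """Return (branch, (build_major, build_minor)) from a version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    branch, major, minor = m.groups()
    return branch, (int(major), int(minor))


def is_exposed(banner: str) -> bool:
    """True when the build is older than the fixed build for its branch.

    Branches the article does not list are reported as exposed on purpose:
    an unknown state must never be shown as safe in a triage report.
    """
    branch, build = parse_banner(banner)
    fixed = FIXED_BUILD.get(branch)
    if fixed is None:
        return True
    return build < fixed  # tuple comparison: (43, 56) < (47, 46) is True


def triage(inventory: dict) -> dict:
    """Map hostname -> exposure flag over a {host: banner} inventory."""
    return {host: is_exposed(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are not real devices.
    fleet = {
        "gw-01": "NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025",
        "gw-02": "NetScaler NS14.1: Build 47.46.nc, Date: Jun 24 2025",
        "adc-01": "NetScaler NS13.1: Build 58.32.nc, Date: Jun 10 2025",
        "adc-02": "NetScaler NS13.0: Build 92.19.nc, Date: Jan 01 2025",
    }
    for host, exposed in triage(fleet).items():
        print(host, "PATCH NOW" if exposed else "ok")
```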
With signs of live breaches already out there, leaving these flaws unpatched gives attackers the keys to walk past your MFA, grab valid sessions, and stay hidden. For any company using Citrix gear, patching isn't optional; it's urgent.
(Source: InfoSecurity)